Malicious Crypto Extensions Steal Funds on Firefox Add-ons Store

More than 40 malicious extensions were discovered impersonating legitimate crypto wallets on the Firefox Add-ons store. These extensions were part of a malware campaign known as “FoxyWallet,” which aimed to steal users’ funds by exfiltrating wallet secrets to attacker-controlled servers. The malicious code within these extensions checks for input strings longer than 30 characters, filtering for realistic wallet keys or seed phrases, and then sends the data to the attackers. Additionally, the victim's external IP address is transmitted, allowing for tracking or further targeting.

The FoxyWallet creators exploited the fact that official extensions are open source. They cloned the real codebases of popular wallets such as Coinbase Wallet, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, and inserted their own malicious logic. This allowed the extensions to behave as expected while secretly stealing sensitive data. The campaign appears to have been active since at least April, with new malicious extensions added as recently as last week. Some of these fake extensions were still available on the Firefox Add-ons store despite the findings being reported to Firefox using its official reporting tool.

Mozilla, the creator of Firefox, acknowledged the issue in a statement, saying that the firm is aware of attempts to exploit Firefox’s add-ons ecosystem using malicious crypto-stealing extensions. Mozilla has taken steps to identify and take down such add-ons quickly through improved tooling and processes. Many of the malicious extensions flagged in the report had been removed by Mozilla's team before publication, and the firm is in the process of reviewing the remaining few add-ons identified as part of its ongoing commitment to protecting users.

Mozilla’s Add-ons Operations Manager, Andreas Wagner, described the situation as a “constant cat and mouse game” with malware developers attempting to work around the firm’s detection methods. Wagner noted that Mozilla has uncovered “hundreds” of scam crypto wallets in recent years, highlighting the persistent threat posed by such malicious activities. The firm is actively working to enhance its security measures to better protect users from these threats.

To avoid falling victim to the FoxyWallet scam or similar threats, users are advised to only download and install extensions from verified publishers. It is also recommended to treat extensions as full software assets, use an extension allow list to restrict installation to pre-approved, validated extensions only, and implement continuous monitoring rather than relying on one-time scanning. These precautions can help users safeguard their sensitive data and prevent unauthorized access to their crypto wallets.